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(54) AES Encryption circuit 

(57) A round processing unit in an encryption circuit 
comprises: a first Round Key Addition circuit (204) that 
adds a round key value to input data; an intermediate 
register/Shift Row transformation circuit (206) that tem- 
porarily stores the output of the first Round Key Addition 
circuit (204) and executes Shift Row transformation; a 
Byte Sub transformation circuit (207) into which the val- 
ues of the Intermediate register/Shift Row transforma- 
tion circuit (206) are inputted and which executes Byte 
Sub transformation; a second Round Key Addition cir- 
cuit (208) Into which the values of the intermediate reg- 
ister/Shift Row iransf ormation circuit (206) are Inputted 



and which adds round key values; a Mix Column trans- 
formation circuit (210) that executes Mix Column trans- 
formation upon the outputs of the second Round Key 
Addition cjreuit (208); and a second selector (203) that 
outputs to the second Round Key Addition circuit (204) 
one of the outputs of a first selector (202), the Interme- 
diate register/Shift Row transformation circuit (206), the 
Byte Sub transformation circuit (207), and the Mix Col- 
umn transformation circuit (21 0). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
level of high-speed processing In the Implementation of 
the AES block cipher. 



CM 
< 

o> 

CO 
CO 



Q. 

LU 



. A SEL> 1 128bik im Ufa* 



*04 — i Rwwd *«v Addrtioti H — Fwv J — Eluded *Of 



V MimonH — iAHV h_ 



hfeermedlata Vafun Rej'rtor/ 



p r 

06 Outpwt 32 Bhn 



Fig. 4 



Printed by Jouvb, 75001 PARIS (FH) 

PAGE 5/12 * RCVD AT 6/4/2006 12:03:38 PM [Eastern Daylight Time] * 8VR:USPTO-EFXRF-3/18 * DNI8:2738300 * CSID: 66 1-460-1986 * DURATION (mm-ss):07-56 



6/4/2006 10:03 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 006 OF 135 



EP 1271 839 A2 

Description 

BACKGROUND OF THE INVENTION 
5 Technical Field 

[0001] The present Invention relates to an encryption circuit for implementing in hardware the Rijndael algorithm, 
which is the next generation common key block encryption standard, Known as the AES (advanced encryption stand- 
ard), and will replace the current common.key block encryption standard In the US, called DES. 

10 

Description of Related Art 

[0002] A great variety of services are being considered that involve the Internet, Including electronic commerce and 

electronic money. These technologies are used not just In the daily Dves of individuate, but also in a wide range of 
is fields, Including transactions among corporations and improving prod uctMty. In particular, it is expected that encryption 

functions will be loaded onto smart cards and mobile handsets, for the purpose of verifying the identity of individuals, 

and that these technologies will be widely used for authentication, digital signatures, and data encryption. 

[0003] Common key cryptography is used In these applications to prevent third parties from tapping on the Internet. 

The current standard adopted In the US for common key cryptography is DES; as its replacement, the AES {advanced 
20 encryption standard), known as the Rijndael algorithm, has been selected to be next generation common key block 

cryptography standard, and this algorithm is becoming the new standard. (The AES draft Is available at http://csrc.nist. 

gov/pubilcations/drafts/dfi ps-AES.pdf) - 

[0004] AES is a block cipher for processing in block lengths of 128 bits, and the encryption algorithm, as shown in 
FIG. 1 , is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule 
as unit 10. The round function unit 20 comprises an input register 21 that temporarily stores input data, an XQR processing 
unit 22 that XORs the input data and expanded key segment, a round processing unit 23, a final round processing unit 
24 and an output register 25 that temporarily stores output data. 

[0005] The round processing unit 23 comprises a Byte Sub transformation unit 31 , a Shift Row transformation unit 
32, a Mix Column transformation unit 33 anda Round Kay Addition unit 34; the final round processing unit 24 performs 
30 the processing of the round processing unit 23 except forthe Mix Column transformation 33; It comprises a Byte Sub 
transformation unit 35, a Shift Row transformation unit 36 and a Round Key Addition unit 37. 
[0006] Round processing Iterated; the number of rounds Nr including the final round depends on the key length 
inputted into the key schedule unit 10, and is defined as shown in Table 1 . 

35 [Table 1] ; 



Key Length and Number of Rounds 


Key Length 


Nr. 


128bit 


10 


I92brt 


'12 


256bit 


14 



[0007] Thus for each key length round processing is executed NM times, and at the end the final round processing 
is executed. When the key length Is 128 bits, round processing is executed 9 times; when 1 92 bits, 11 times; and when 
256 bits, 13 thnes; and then in each case the final round processing is executed. Round keys generated at the key 
schedule unit 10 are inputted into the XOR processing unit 22, round processing unit 23 and final round processing 
unit 24. 

[0006] The key schedule unit 10 generates round keys based on the key generation schedule specified In the AES 
draft; that algorithm is shown In FIG. 2. 

[0009] The AES Proposal specification (AES Proposal: Rijndael, at http-V/csrc. nist.gov/encryption/aes/rijndael/Rljn' 
dael.pdf) introduces 2 hardware implementations for AES block cipher circuits. 

[0010] One of these is a method for hardware Implementation, in 12B bit units, of all the functions shown In FIG. 1 
as they are (hereinafter, "conventional example 1 U ). In this case, for encryption and decryption, the order of processing 
of the functions is reversed, and thus ft Is necessary to prepare separate processing circuits for encryption and de- 
cryption. 

[001 1] Also, because, as shown in Table 1 , it is necessary to change the number of times round processing is exe- 
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cuted depending upon the key length, It Is necessary to create circuits for each key length. 

[0012] Furthermore, because of the reversal of order between encryption and decryption, theorderof key generation 
In the key schedule unit 1 0forthe round keys used In the round function unit 20 has to be reversed between encryption 
and decryption. Therefore, either there has to be 2 separate key schedule units, for encryption and for decryption, or 

s a method has to be devised for using the key schedule unit 1 0 for both encryption and decryption. 

[0013] The secondmethod, as shown In FIG. 3 f involves creating acoprocessorSOthathasa Byte Sub transformation 
unit 51 and a Mix Column transformation unit 52, and Implementing in hardware only the Byte Sub transformation and 
the Mix Column transformation functions, and having all other functions incorporated as software into a program 41 , 
and then processing with a CPU 40 (hereinafter, "conventional example 2"). 

10 [0014] In this case, Byte Sub transformation and Mix Column transformation, which are unsuited for processing by 
the CPU 40 for reasons of processing time, are implemented in hardware as the coprocessor 50, and the other process- 
ing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced. 
[0015] If we suppose that the AES block cipher Is to be incorporated Into a smart card or the like, the functions 
required of an encryption circuit would be to maintain a certain level of processing speed, while keeping the scale of 

1* the circuit small. With these requirements, the conventionally proposed method of implementing all the functions in 
128-bit units results In the scale of circuit being too large, making the loading thereof onto a smart card difficult. With 
the method of implementing in hardware only the Byte Sub transformation and the Mjx Column transformation, and 
processing the other functions with software, there Is the problem of the processing speed requirements not being 
fulfilled. 

20 [001.6] Moreover, with the key schedule unit 10 that generates the round, keys, if all the round keys are stored in 
memory, a large-capacity memory Is needed, and this would make the scale of circuit large. Therefore, in order to 
reduce the scale of circuit without reducing processing speed, it Is desirable to generate round keys with a circuit 
constitution that does not require storing the entire expanded key in memory. 

25 SUMMARY OF THE INVENTION 

[001 7] It is a n object of the present invention to present an encryption circuit that is small in scale and that can achieve 
a certain level of processing speed when Implementing the AES block cipher. 

[001 8] The present invention provides an encryption circuit that generates from a cipher key a plurality of round keys 
so having a number of bits corresponding to a predetermined processing block length and executing, for each processing 
block length, input data and round key encryption/decryption processing/by means of a round function unit comprising 
an XOR operation unit that XORs the input data and one of the round keys and a round processing unit that iterates 
round- processing that Includes Byte Sub transformation, Shift Row transformation, Mix Column transformation and 
Round Key Addition, wherein: 

35 the round processing unit comprises: a first selectorthat segments input data Into execution block lengths smallerthan 
the processing block length; a first Round Key Addition circuit that adds the round key value to input data for each the 
execution block length; an intermediate register/Shift Row transformation circuit that temporarily stores the output of 
the first Round Key Addition circuit and executes Shift Row transformation using the processing block length; a Byte 
Sub transformation circuit wherein the intermediate register/Shift Row transformation circuit value is inputted for each 

fo the execution block length and Byte Sub transformation is executed; a second Round Key Addition circuit wherein the 
intermediate register/Shift Row transformation circuit value is Inputted for each the execution block length and the 
round key value Is added for each the execution block length; a Mix Column transformation circuit executing Mix Column 
transformation on the output of the second Round Key Addition circuit; and a second selector that outputs to the first 
Round Key Addition circuit one output from among the outputs of the first selector, intermediate register/Shift Row 

45 transformation circuit, Byte Sub transformation circuit, or Mix Column transformation circuit. 

[0019] Here, the execution block length can be a multiple of 8 bits, the processing block length can be 128 bits and 
the execution block length can be 32 bits. 

[0020] Further, the key length of the cipher key can be any of 1 28 bits, 1 92 bits or 256 bits. 

[0021 ] Also, the Byte Sub transformation circuit can comprise a matrix operation unit for decryption that executes a 
50 matrix operation on input data; a third selector that outputs either the Input data or the output of the matrix operation 
unit for decryption; an Inverse operation unit for executing an inverse operation on the data outputted from the third 
selector; a matrix operation unit for encryption that executes a matrix operation on the data outputted from the Inverse 
operation unit; and a fourth selector that outputs either the output of the inverse operation unit or the output of the 
matrix operation unit for encryption . 
55 [0022] Further, the matrix operation unit for decryption and the matrix operation unit for encryption comprises an 
XOR circuit so as to perform 8-blt operations at one dock cycle and the matrix operation unit for decryption and the 
matrix operation unit for encryption comprises an XOR circuit so as to perform 1-bit operations at one clock cycle. 
[0023] Also, the intermediate register/Shift Row transformation circuit can be usedfor both encryption anddecryption 
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through the reversal of order of Input of shift data relating to amount of shift for data to be inputted into the intermediate 
register/Shift Row transformation circuit, the input order for decryption being the reverse of the order for encryption. 
[0024] Further, the Mix Column transformation circuit can comprise a plurality of multiplication units with unique 
multipliers and an XOR circuit that performs XOR operations for the plurality of multiplication units, the Mix Column 

3 transformation circuit executing a matrix operation between data inputted into each multiplication unit and the multiplier 
established for each multiplication unit. In this case, the Mix Column transformation circuit comprises 4 operation units 
having 4 multiplication units capable of 8-bit unit operations and XOR circuits that execute XOR operations based on 
the outputs of the 4 multtpl ication units. This mu Implication u nits can control 2 multipl iers and are used for both encryption 
and decryption and the multiplication units can be constituted to control addition values from high-order bits. 

io [0025] Also, an encryption circuit can be constituted so as to have a key expansion schedule circuit that generates 
from the cipher key, as an expanded key segmented into bit numbers corresponding to the execution block length, a 
plurality of round keys with bit numbers corresponding to a predetermined processing block length. The key expansion 
schedule circuit comprises: 

a fifth selector that segments a cipher key Into the number of bits corresponding to the execution block length and 
outputs the same; 

a shift registerto which flip-flop circuits are connected at a plurality of stages, the flip-flop circuits latching data In 
units of the execution block length; 

a first XOR circuit that XORs the output of the final stage flip-flop circuit of the shift register with one constant 
selected from among a group of constants; 

a sixth selector Into which are inputted the outputs of those flip-flops of the shift register that are involved in oper- 
ations for encryption and the outputs of those flip-flops involved in operations for decryption, and which selectively 
outputs one of these; 

a Rot Byte processing circuit that rotates the output of the sixth selector; 

a seventh selector into which the output of the sixth selector and the output of the Rot Byte circuit is inputted and 
which selectively outputs one of these; 

a Sub Byte processing circuit that executes Byte Sub transformation oh the output of the seventh selector for each 
the execution block length; 

an eighth selector Into which the output of the sixth selector and the output of the Sub Byte processing circuit are 
Inputted, and which selectively outputs one of these; 

a second XOR circuit that executes an XOR operation based on the output of the first XOR circuit and the output 
of the eighth selector; and 

a shift register unit selector that selectively outputs, to those flip-flops of the shift register the outputs of which are 
subject to operations for encryption, either the output of the second XOR circuit or the output of the adjacent stage 
flip-flop. 

[0026] Here, the shift register comprises 8 flip-flops executing data processing in 32-bit units, and the sixth selector 
Is constituted so that the outputs of the second, fourth, sixth and eighth Hip-flops from the bottom from among the flip- 
flops are inputted therein, and that it outputs one of these. 

[0027] Also, through the input into the seventh selector of the output of the intermediate register/Shift Row transfor- 
mation circuit and the Input into the second selector of the output of the Sub Byte processing circuit, a single circuit 
can be used for the Sub Byte processing circuit and the Byte Sub transformation circuit of the round processing unit. 
[0028] From the following detailed description in conjunction with the accompanying drawings, the foregoing and 
other objects, features, aspects and advantages of the present Invention will become read! ly apparent to those skilled 
In the art. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0029] 

SO 

FIG. 1 Is a block diagram of AES processing using the Rijndael algorithm; 
FIG. 2 is a key schedule program Rst; 

FIG. 3 is a block diagram showing one envisioned circuit implementation; 

FIG. 4 is a block diagram of a round function unit adopted In a first embodiment of the present invention; 
55 FIG. 5 is a block diagram showing an intermecfiate register/Shift Row transformation circuit; 

FIG. 6 fs a block diagram showing a Mix Column transformation circuit; 
FIG. 7 Is a block diagram showing the constitution of a multiplication unit; 
FIG. 8 is a block diagram showing another constitution of a multiplication unit; 
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FIG. 9 is a block diagram showing a key schedule unit; 
FIG. 10 is a block diagram showing a Byte Sub transformation circuit; 
FfG. 11 is a block diagram showing a matrix operation circuit for encryption; 
FIG. 12 Is a block diagram showing a matrix operation circuit tor decryption; 
s FIG. 1 3 is a block diagram showing another example of a matrix operation circuit for encryption; and 

FIG. 14 is a block diagram showing another example of a matrix operation circuit for decryption. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

io Round Function Unit 

[0030] The AES block cipher is an algorithm that encrypts/decrypts the 128 bit data with the 128 bit, 1 92 bit or 256 
bit key. As shown in FIG. 1, it comprises a key schedule unit 10 that generates a plurality of round keys from the cipher 
key, and a round function unit 20 that uses the round keys inputted from the key schedule unit 1 0 to encrypt and decrypt. 

is The round function unit 20 performs such processing as XOR operations, Byte Sub transformation processing, Shift 
Row transformation processing, Mix Column transformation processing, Round Key Addition processing. . 
[0031] The first embodiment of the present Invention is a circuit for implementation of this round function unit 20, 
and the constitution of this circuit is shown in FIG. 4. Each circuit block executes 32-blt processing with the exception 
of Shift Row transf ormation process lng : which is 1 28-blt processing; transfer of data between circuit blocks is executed 

20 in 32-bit units. 

[0032] This round function unit contains: an Input register 201 that temporarily stores input data; a first selector 202 
that selects 32-blt data from the 128-bit input data; a second selector 203 Into one input terminal of which the output 
of the first selector 202 is inputted; a first Round Key Addition circuit 204 into which the output of the second selector 
203 is inputted; an add data selector 205 that inputs into the first Round Key Addition circuit 204 an expanded key 

25 segment or u O"; an intermediate register/Shift Row transformation circuit 206 that stores the output value of the first 
Round Key Addition circuit 204 and executes Shift Row transformation in 128-bit units; a Byte Sub transformation 
circuit 207 Into which intermediate register/Shift Row transformation circuit 20e values are inputted and which executes 
Byte Sub transformation; a second' Round Key Addition circuit 208 into which Intermediate register/Shift Row transfor- 
mation circuit 208 values are inputted for each 32 bits; an add data selector 20g which inputs into the second Round 

50 Key Addition circuit 208 an expanded key segment or "0"; and a Mix Column transformation circuit 21 0 which executes 
Mix Column transformation on the output of the second Round Key Addition circuit 208. The outputs ofthe first selector 
202, Byte Sub transformation circuit 207, Mix Column transformation circuit 210, and .intermediate register/Shift Row 
transformation circuit 206 are inputted into the second selector 203, and one of these outputs is outputted to the first 
Round Key Addition circuit 204. 

35 

Operation Schedule during Encryption 

[0033] The operation schedule during encryption in the round function unit is shown in Table 2. 

40 



. 45 



BO 



55 



5 

PAGE 9/12 * RCVD AT 6/4/2006 12:03:38 PM [Eastern Daylight Time] * SVR:USPT0-EFXRF-3/18 ■ DNIS:2738300 * CSID: 661 -460-1986 * DURATION (mm-ss):07-56 



6/4/2006 10:03 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 010 OF 135 



EP 1 271 839 A2 



(Table 2] 



Round Function Operation Schedule 



5 


Round 


Cycle 


Prncanlnff 


SELJU 




0 


000-003 


Round Key Addition 


a 


10 




004-007 


wy^w wuu 1 1 aiiaim * imuiui i 


b 


t 

■ 


006 


Shift Row Transformation 


c j 


15 






ivha. wroiuiiin i rarksio rrnaruon 
Round Key Addition 


c 




013-016 


FtvtA rm Trancfnrna^i/wi 

wyw ouo 1 1 ans I ot 1 1 iduon 


h- 




2 


017 


Shift Row transformation 


c 


20 




018-021 


lYiix i^oiurnn i ransTorrrutiiori 
Round Key Addition 


c 






- 

Omitted 


■ 




25 














#1 . 


Byte Sub Transformation 


. b 




NH 


(Nr-1)*9-1 


Shift Row Transformation 


• c ■ 


30 




<Nr-1)*9- 
(Nr-1)*9+3 


Mix Column Transformation 
Round Key Addition 


c 






U2 


Byte Sub Transformation 


b 


35 


Nr 


Nr*9-1 


Shift Row Transformation 


d 






Nr*9- 
Nr*9+3 


Round Key Addition 


d 



40 



45 



#1:(Nr-1)*9-5.(Nr-1)*9"2 
#2:Nr*9-5-Nr*9-2 

Note: The table shows operations during encryptioa 
In decryption, the order of round key and Mix 
Column processings is switched 
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[0034] Here, In round 0, addition of an expanded key segpnent Is executed by the first Round Key Addition circuit 
204 with a selector position of "a" for the second selector 203. Input data in the input register 201 is selected in 32 bit 
units by the first selector 202 and inputted into the first Round Key Addition circuit 204, and to this Is added a portion 
of a round key, inputted from the key schedule unit, this portion being a 32-bit segment of the expanded key. While the 
input data and the expanded key are being changed into 32-bit units, the first Round Key Addition circuit 204 executes 
addition processing, and tho XOR processing of the XOR unit 22 in FIG, 1 Is thereby executed on 1 28-b'rt processing 
blocks In the 4 cycles of cycles 000 through 003. The result of the operation by the first Round Key Addition circuit 204 
is stored in order In 32-bit units in the intermediate register/Shift Row transformation circuit 206. 
[0035] In round 1 , the round processing 23 in FIG. 1 is executed, and Byte Sub transformation processing 31 , Shift 
Row transformation processing 32, Mix Column transformation processing 33, and Round Key Addition processing 34 
are executed. Thus, first of ail, in cycles 004 through 007, with a selector position of "b" for the second selector 203, 



8 

PAGE 10/12 • RCVD AT 6/4/2006 12:03:38 PM [Eastern Daylight Time] * 8VR:USPTO-EFXRF<J/18 • DN18:2738300 * CSID: 66 1-4 60-1 986 • DURATION <mm-ss):07*6 



6/4/2006 10:03 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: Oil OF 135 

EP 1 271 839 A2 

the data stored fn the intermediate register/Shift Row transformation circuit 206, while being shifted in 32-bit units, is 
read out and Inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by 
the add data selector 205 "Q\ the first Round Key Addition circuit 204 is put into a masked state. The result of the 
operations of Byte Sub transformation circuit 207 Is stored In order in 32-bit units in the intermediate register/Shift Row 
5 transformation circuit 206. Thus Byte Sub transformation processing performs on 128 bits, and the result is stored in 
the Intermediate register/Shift Row transformation circuit 206. 

[0036] Next, in cycle 008, Shift Row transformation processing Is executed. The intermediate register/Shift Row • 
transformation circuit 206 is capable of executing Shift Row transformation processing In 128-bit units, and in this cycle - 
0Q8, 128-bit Shift Row transformation processing is executed. At this time, the selector position of the second selector 
10 203 may be any position, but in consideration of the processing in the next cycle, a position of "c" is preferable. 

[0037] in cycles 009 through 0012, Mix Column transformation processing and Round Key Addition processing are 
executed. Herein, the data stored In the intermediate register/Shift Row transformation circuit 206, while being shifted 
in 32-blt units, is read out and inputted Into the second Round Key Addition circutt 208. At this time, by making the data 
to be selected by the add data selector 209 n 0\ the second Round Key Addition circuit 208 is put into a masked state. 
is By setting the selector position of the second selector 203 at "cr ( the data upon which Mix Column transformation 
processing has been executed at the Mix Column transformation circuit 21 0 is Inputted into the first Round Key Addition 
circuit 204 via the second selector203. An expanded keysegmentto be inputted from the key schedule unit is selected 
for data to be selected by the add data selector205, and this data undergoes Round Key Addition processing at the 
first Round Key Addition circuit 204. The result of the Mix Column transformation processing at the Mix Column trans- 
20 formation circuit 210 and the Round Key Addition processing at the first Round Key Addition circuit 204 are, while 
being each shifted in 32-bit units, stored in the intermediate ragisterVShift Row transformation circuit 206. Thus, the 
result of the 128 bits upon which Mix Column transformation processing and the Round Key Addition processing were 
executed in cycles 009 through 012 are stored in the intermediate register/Shift Row transformation circuit 206. In this 
manner, one round of processing is executed in the 9 cycles of cycles 004 through 012. 
25 [0038] Next, in rounds 2 through (NM), the same processing as in round 1 is executed {however, Nr is the number 
of processing rounds including the finai round, and as shown In Table 1 , the number of rounds will differ according to 
key length). 

[0039] In round Nr (the final round), the finai round processing 24 of FIG. 1 is executed; this comprises Byte Sub 
transformation processing 35, Shift Row transformation processing 36 and Round Key Addition processing 37. 
30 [0040] Thus in cycles (Nr*9-5) through (Nr*9-2), with the selector position of the second selector 203 at H b", data 
stored in the intermediate register/Shift Row transformation circuit 206, while being shifted In 32-bit units, is read out . 
and inputted into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add 
data selector 205 "0*\ the first Round Key Addition circuit 204 is put into a masked state: The result of the operation 
of the Byte Sub transformation circuit 207 is stored In order in 32-blt units in the intermediate register/Shift Row trans- 
35 formation circuit 206. Thus Byte Sub transformation processing of 128 bits is performed, and the result is stored In.the 
■ intermediate register/Shift Row transformation circuit 206. 
[0041] . Next, in the (Nr*9-1) cycle, 128-bit Shift Row processing is executed. At this time, the selection position of 
the second selector 203 may be any position, but In consideration of the processing of the next cycle, a position of "d" 
is preferable; 

4o [0042] In the (Nf*9) through (Nr*9+3) cycles, Round Key Addition processing is executed. Specifically, by making 
the selector position of the second selector203 w d'\ the data stored In the Intermediate register/Shift Row transformation 
circuit 206, while being shifted in 32-bit units, Is read out and Inputted Into the first Round Key Addition circuit 204 via 
the second selector 203. At this time, by making data to be selected by the add data selector 205 an expanded key 
segment to be inputted from the key schedule unit, the first Round Key Addition circuit 204 adds 32-bit round keys. 
45 The result of the Round Key Addition processing by the first Round Key Addition circuit 204 Is stored in the intermediate 
register/Shift Row transformation circuit 206 while being shifted in 32-bit units. Thus In the (Nr*9) through (Nr*9+3) 
cycles, the result of the Round Key Addition processing on the 128 bits is stored in the intermediate register/Shift Row 
transformation circuit 206. in this manner, in the 9 cycles from (Nr*9-5) through (Nr*9+3), final round processing Is 
executed. 

so 

Operation Schedule during Decryption 

[0043] Operations during decryption in this round function unit are performed In the reverse orderto operations during 
encryption. This operation schedule Is shown in Table 3. 

55 
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Round Function Operation Schedule 



Round 


Cycle 


ProcesslR^ 


SELJ3 


0 


000-003 


Round Key Addition 


a 




004 


Shift Row Transformation 


b 




005-008 


Byta Sub Transformation 


b 


1 . 


009-012 


Round Key Addition 

Mix Column Transformation 


c 




013 


Shift Row Transformation 


b 




014-017 


Byte Sub Transformation 


b 
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rouna rsey Aaaiuon 
_Mix Column Transformation 
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<Nr-1)*9-5 


Shift Row Transformation 
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#1 


Byte Sub Transformation 
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(Nr-1)*9 - 
<Nr-«*9+3 


Round Key AdcStion 

Mix Column Transformation 
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Shift Row Transformation 
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Byte Sub Transformation 
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#2:Nr*9-4-Nr*9-1 
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[0044] In round 0, with the selector position of the second selector 203 at "a", the first Round Key Addition circuit 

204 adds expanded key segments. Input data in the Input register 201 is selected in 32-bit units by the first selector 
202 and Inputted into the first Round Key Addition circuit 204, and from the round key to be inputted from the key 
schedule unit, a 32-bit expanded key segment is added. At this time, data to be inputted via the first selector 202 Is 
inputted In an order that is the reverse of the input order for encryption, and the input order of the expanded .key 
segments to be inputted from the keyschedule input is also the reverse of the input order for encryption. In this manner, 
as the input data and expanded key are changed every 32 bits, the first Round Key Addition circuit 204 executes add 
processing, thereby allowing execution of Round Key Addition processing on a 1 28-blt processing block in cycles 000 
through 003. The result of the operations of the first Round Key Addition circuit 204 is stored in 32-bit unite In the 
intermediate register/Shift Row transformation circuit 206, . 

[0045] In round T, processing is performed in the order of Shift Row transformation, Byte Sub transformation, Round 
Key Addition, and Mix Column transformation. For this reason, first, In cycle 004, in the intermediate register/Shift Row 
transformation circuit 206, Shift Row transformation processing is executed In 128-bit units- In this case the processing 
Is the same as the Shift Row transformation processing during encryption. Also, the selector position of the second 
selector 203 may. be any position, but in consideration of the processing in the next cycle, a position of "b" is preferable. 
[0046] Next, in cycles 005 through 008, with a selector position of "b w for the second selector 203, data stored in the 
intermediate regfeter/Shlft Row transformation circuit 206, while being shifted in 32-bit units, Is read out and inputted 
Into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add data selector 

205 V, the first Round Key Addition circuit 204 Is put into a masked state. The result of the operation by the Byte Sub 
transformation circuit 207 is stored In order in the intermediate register/Shift Row transformation circuit 206 In 32-bit 
units. In this case, the Byte Sub transformation processing Is executed so as to be the inverse of the transformation 
processing during encryption; this will be discussed below. In this manner, Byte Sub transformation processing Is 
performed on 1 28 bits, and the result is stored in the intermediate register/Shift Row transformation circuit 206. 
[0047] In cycles 009 through 012, Round Key Addition processing and Mix Column transformation processing are 
executed. Here, data stored in the intermediate register/Shift Row transformation circuit 206, while being shifted in 
32-brt units, is read out and inputted into the second Round Key Addition circuit 208. At this time, data selected by the 
add data selector 209 is made the expanded key segment inputted from the key schedule unit. Also, with the selector 
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